<html>
<head><meta charset="utf-8"><title>Safety of `offset` when working with MMIO · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html">Safety of `offset` when working with MMIO</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="181180416"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181180416" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181180416">(Nov 20 2019 at 05:11)</a>:</h4>
<p>So if you have some MMIO memory, and you make a pointer to the start of it, and then you call <code>offset</code>, what happens? Specifically, do you get UB from calculating the new address or not?</p>



<a name="181184649"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181184649" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hadrien Grasland <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181184649">(Nov 20 2019 at 07:12)</a>:</h4>
<p>I guess you shouldn't be in an UB situation, because you're in bounds of the MMIO allocation. Whether you actually don't get miscompilation however, is a different question, since LLVM does not really have a clear knowledge of that allocation.</p>



<a name="181184684"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181184684" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hadrien Grasland <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181184684">(Nov 20 2019 at 07:13)</a>:</h4>
<p>I remember <span class="user-mention" data-user-id="120791">@RalfJ</span> showing me a scary LLVM presentation about how they had to badly special-case pointers originating from integers in order to refrain from mangling them in GEP inbounds and friends... which also mentioned that the special-case code unsurprisingly had bugs.</p>



<a name="181227334"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181227334" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181227334">(Nov 20 2019 at 17:06)</a>:</h4>
<p>yeah... good question. very hard to answer. this would be hard to answer even if we had a formal spec of Rust already, and we don't. ;)</p>



<a name="181227452"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181227452" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181227452">(Nov 20 2019 at 17:07)</a>:</h4>
<p>but I would say that MMIO memory is "inbounds" for all intents and purposes (you are accessing it, after all). so as long as you make sure that MMIO memory does not overlap with any memory the R-AM knows about, and that you follow <code>offset</code>'s "inbounds" rules using the bound of the MMIO region, you should be good.</p>



<a name="181227486"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181227486" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181227486">(Nov 20 2019 at 17:07)</a>:</h4>
<p>by "knows about" I specifically mean "Rust allocations" -- stack and heap and statics</p>



<a name="181231021"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181231021" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181231021">(Nov 20 2019 at 17:43)</a>:</h4>
<p>That is also how I feel things should be. Though in practice I am concerned that some parts of LLVM may be tempted to infer from "a GEPi is executed" that "the base pointer is <code>dereferenceable</code>" which for MMIO of course isn't so great</p>



<a name="181231244"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181231244" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181231244">(Nov 20 2019 at 17:45)</a>:</h4>
<p>Oh wait, nevermind, GEPi only returns poison if the inbounds condition is violated, so that would be unsound anyway.</p>



<a name="181289444"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181289444" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181289444">(Nov 21 2019 at 09:53)</a>:</h4>
<p>How are you obtaining the pointer to MMIO ?</p>



<a name="181289500"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181289500" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181289500">(Nov 21 2019 at 09:54)</a>:</h4>
<p>I expect that API to give you a “fresh” allocation.</p>



<a name="181289530"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181289530" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181289530">(Nov 21 2019 at 09:54)</a>:</h4>
<p>For example, mmap gives you a noalias pointer to new virtual memory - independently of whether it is IPC shared or not. From LLVM POV thatsa fresh allocation.</p>



<a name="181289550"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181289550" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181289550">(Nov 21 2019 at 09:55)</a>:</h4>
<p>You can use the Alloc size hints to tell LLVM about the size of the allocation at run time</p>



<a name="181289655"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181289655" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181289655">(Nov 21 2019 at 09:56)</a>:</h4>
<p>(notice that noalias in return position is different than in argument position)</p>



<a name="181717700"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181717700" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181717700">(Nov 23 2019 at 14:23)</a>:</h4>
<p>The pointer is just a usize cast to the right type.</p>



<a name="181817364"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181817364" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181817364">(Nov 25 2019 at 12:29)</a>:</h4>
<p>That's fine then.</p>



<a name="181817427"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181817427" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181817427">(Nov 25 2019 at 12:30)</a>:</h4>
<p>We assume that you will do pointer arithmetic in bounds of the allocation.</p>



<a name="181817442"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181817442" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181817442">(Nov 25 2019 at 12:30)</a>:</h4>
<p>If the assumption is incorrect, your code might get misoptimized, but if the assumption is correct, everything works out - if your code gets misoptimized, Rust or LLVM have a bug.</p>



<a name="181817580"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181817580" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181817580">(Nov 25 2019 at 12:32)</a>:</h4>
<p>(deleted)</p>



<a name="181817790"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181817790" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181817790">(Nov 25 2019 at 12:35)</a>:</h4>
<p>Or in other words, you only get UB for doing pointer arithmetic that's out-of-bound of the actual allocation.</p>



<a name="181820491"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety%20of%20%60offset%60%20when%20working%20with%20MMIO/near/181820491" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Safety.20of.20.60offset.60.20when.20working.20with.20MMIO.html#181820491">(Nov 25 2019 at 13:10)</a>:</h4>
<p>well you also have to account for the aliasing rules, but since it looks like everything here is raw ptrs those shouldn't come into play</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>